From: Gaël Roualland
Date: Mon, 07 Jan 2002 08:23:08 +0100
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Reporting last packet that will get logged
Message-ID: <3C394CDC.4BD0AB6E@dial.oleane.com>

"Crist J. Clark" wrote:
>
> On Mon, Jan 07, 2002 at 02:38:47AM +0100, Gaël Roualland wrote:
> > Hello,
> >
> > ipfw has a nice feature of logging limit to avoid flooding the logs;
> > However, one needs to reset them regularly, and this outputs annoying
> > logging messages while often the reset wouldn't have been needed...
> >
> > To solve this, a while back I did a simple patch to the 4.2 ipfw(8)
> > command to be able to report the number of the last packet that will be
> > logged on a rule which has logging enabled, before the logging limit is
> > reached. This allows to resetlogs only when one rule has reached (or is
> > close to reach) its limit.
> >
> > Maybe this could be a feature to add to the stock ipfw command ?
>
> First of all, I really don't see what is so annoying about a single
> log entry. A script doing some sort of analysis can easily ignore them
> and obviously a human reader can easily skip them over.
>
> Second, I think this is a rather awkward way to handle this. The
> "reset" messages are logged at the "notice" level while 'log' rules
> are logged at "info." This can be used to separate them.

Sure, this is something that can be easily handled with other ways, I
just find it nicer/useful to be able to do it another way, and it
doesn't need a lot to be reported since the information is present in
the data structure.

> Finally, I'm not sure I'm clear on what "the number of the last packet
> that will be logged" means.

This is actually what the kernel structure uses (at least on 4.2), but
it is quite easy to convert to something more user friendly, I agree :)

> I'm thinking adding a field to the 'show'
> or 'list' commands when a flag is given, say '-l' for "limit," that
> shows where the counter currently is would be more
> straightforward. So,
>
> # ipfw -l list 1000
> 01000 456 deny log logamount 1000 ip from any to any
>
> We've logged 456 packets since the last reset. We can quickly figure
> out there are 544 more to be logged before we hit the limit.

That would be perfectly fine,

Gaël.
-- 
Gaël Roualland -+- gael.roualland@dial.oleane.com
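
The "reset only when a rule is close to its limit" check discussed in this thread, as an added example that is not part of the original messages or of ipfw itself. It assumes the rule-line format proposed in the quoted reply (rule number, logged count, then the rule text with `logamount N`); the `-l` flag is only a proposal in this thread, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread's authors. Input format is the one
# proposed in the message: "RULE LOGGED action log logamount LIMIT ...".
# The -l flag and this format are a proposal, not confirmed ipfw output.

# Print the number of every rule whose logged count has reached PCT percent
# (default 90) of its logamount; lines without both counters are skipped.
rules_near_limit() {
    awk -v pct="${1:-90}" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            limit = 0
            for (i = 3; i < NF; i++)
                if ($i == "logamount" && $(i + 1) ~ /^[0-9]+$/)
                    limit = $(i + 1) + 0
            # Only rules with a positive limit can run out of log entries.
            if (limit > 0 && $2 * 100 >= limit * pct)
                print $1
        }'
}

# Constructed sample lines (not captured from a real system).
sample_rules() {
    cat <<'EOF'
01000 456 deny log logamount 1000 ip from any to any
02000 95 deny log logamount 100 tcp from any to any 23
03000 allow ip from any to any
04000 100 deny log logamount 100 udp from any to any 53
EOF
}

# Demo on the sample data: prints 02000 and 04000.
sample_rules | rules_near_limit 90

# On a system that had the proposed flag, each reported rule could be reset
# individually with the existing resetlog command (hypothetical pipeline):
#   ipfw -l list | rules_near_limit 90 | while read -r r; do ipfw resetlog "$r"; done
```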